IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« APM Logs UI »
Elastic Docs Machine Learning in the Elastic Stack [7.5] Anomaly detection Supplied anomaly detection configurations

Auditbeat

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Auditbeat

edit

These anomaly detection job wizards appear in Kibana if you use Auditbeat to audit process activity on your systems.

docker_high_count_process_events_ecs
  • For Auditbeat data where event.module is auditd and container.runtime is docker.
  • Models process execution rates (partition_field_name is container.name).
  • Detects unusual increases in process execution rates in Docker containers (using the high_count function).
docker_rare_process_activity_ecs
  • For Auditbeat data where event.module is auditd and container.runtime is docker.
  • Models occurrences of process execution (partition_field_name is container.name).
  • Detects rare process executions in Docker containers (using the rare function).
hosts_high_count_process_events_ecs
  • For Auditbeat data where event.module is auditd.
  • Models process execution rates (partition_field_name is host.name).
  • Detects unusual increases in process execution rates (using the high_non_zero_count function).
hosts_rare_process_activity_ecs
  • For Auditbeat data where event.module is auditd.
  • Models process execution rates (partition_field_name is host.name).
  • Detects rare process executions on hosts (using the rare function).
« APM Logs UI »